Designing and Building Enterprise DMZs

When people think about securing their DMZs, they mostly think about firewalls, IDSs, VPNs, and hardening of servers within the DMZ.These are all parts of the process, but there is more to securing a DMZ than considering just these items. Some DMZ planners overlook hardening the routers or switches supporting the DMZ so that they cannot be exploited and used as tools to penetrate the network. Routers and switches provide the connectivity, both within the DMZ environment and to other areas of the network to which the DMZ is connected.This makes routers and switches prime targets for hackers to exploit and glean information about the network or simply use as springboards to other devices. Routers and switches on the DMZ, and anywhere else on the network, can also be used to protect resources that they connect via security features, including ACLs, port security, and private VLANs, to name a few.This chapter presents information on how to design and configure some important router and switch security features that enable them to run securely and protect the devices that they connect.
This section covers how routers are implemented within a DMZ environment. We discuss topics such as the placement of routers in traditional DMZ environments, routing traffic into and out of the DMZ, applying access restrictions, and how to lock down the router s many features and services. In this chapter we use the Cisco router and IOS as the baseline for the examples. If you are using another...